How small businesses can avoid opportunistic attacks on servers.
Due to their undeniable benefits in terms of performance, data management, and enabling online collaboration, servers have become the backbone of businesses of all sizes. Even small offices and home offices (SOHO) use them if their line of work requires specialized software or the management of huge amounts of data.
But what business owners see as a great tool to increase their productivity, cybercriminals usually perceive as an opportunity. Indeed, cybercriminals know that servers handle important business information and processes, and if they break in, they can potentially access the whole business environment.
This recent ESET Research blog about malware attacking servers via the use of the EfsPotato and BadPotato exploits shows that cybercriminals aren’t overly picky about their targets. Being small or seemingly uninteresting is no protection.
Because smaller businesses often lack the IT expertise and robust protection measures of their bigger counterparts, ESET has brought help via ESET Server Security, a part of the unified business security platform ESET PROTECT. Now Small/Home Offices (SOHO) can find big protection via ESET Safe Server, which has been incorporated into ESET Small Business Security.
Handling sensitive data with a sensitive budget
The importance of servers can be seen through their market growth. The global server market size was valued at $136.69 billion in 2024 and is projected to grow from $145.15 billion in 2025 to $237.00 billion by 2032. It’s important to note that those numbers are affected by current AI computing power demands.
The wide use of servers naturally attracts cybercriminals who don’t want to miss any opportunities to steal money or data. Servers are common assets involved in almost all breaches (95%) documented in the latest Verizon 2025 Data Breach Investigations Report.
Small and Medium Businesses (SMBs) and SOHOs can be especially vulnerable to such cyberattacks. For example, a Kinetic Business 2025 Report shows that less than half (49%) of respondents prioritize cybersecurity investments despite a majority (59%) of them seeing cybersecurity as their priority. On top of that, more than half (52%) of respondents said they lack confidence in their cybersecurity preparedness and resources.
When it comes to SOHOs, 41% of micro businesses (up to 9 employees) in the U.K. experienced a breach or cyberattack in the last year. Yet only 16% considered the cybersecurity aspect when purchasing new software, according to The Cyber Security Breaches Survey 2025.
This 2023 Australian Government survey among SMBs and micro businesses shows that more than 60% experienced a cybersecurity incident, but almost half of SMBs rated their cybersecurity understanding as “average” or “below average” and 48% spent less than $500 on cybersecurity per year.
Servers and their backdoors
However, in the world of automated opportunistic attacks against servers, having complex cybersecurity protection is necessary.
Recently, ESET Researchers identified a new threat actor, named GhostRedirector, which compromised at least 65 Windows servers around the globe, mainly in Brazil, Thailand, and Vietnam. These victims are not related to any specific sector, and their businesses vary from insurance and healthcare to retail, transportation, technology, and education.
While the initial access to the victims’ servers remains unknown, ESET researchers believe that the attackers exploited a server vulnerability using a technique called SQL injection. It involves inserting malicious code lines into the code of a compromised application. Using this technique, attackers could completely change the logic behind SQL commands and, for example, make every login attempt successful no matter what credentials were used.
After gaining a foothold in the targeted system, cybercriminals could utilize a passive C++ backdoor allowing them to execute commands on a compromised server or the publicly known exploits EfsPotato and BadPotato to create a privileged user on the server, which could then be used to download and execute other malicious components with higher privileges.
Interestingly, attackers could also deploy other malicious tools that make SEO fraud as-a-service available – manipulating the search engine results in favor of a configured target website. In this case, ESET researchers saw tampered SEO results favoring a gambling website.
Protecting servers
As you can see, servers are a critical aspect of business security, and one compromised server can lead to further attacks – just like one bad potato can spoil the whole bag.
And unfortunately, malicious campaigns like the one conducted by GhostRedirector are quite common. Only a few months earlier, ESET researchers published a blog about the RoundPress campaign using a similar technique called XSS injection targeting webmail servers.
To protect their applications running on servers, businesses can make adjustments such as input validation, parameterized queries, or restriction on the app’s access to other parts of the system. But let’s be honest, chances are that smaller businesses don’t have human or financial resources to do that.
So, what can you really do to make servers safer? The basic preemptive measures involve keeping your software updated, using strong passwords together with 2FA, and learning how to spot phishing attacks.
To stop more sophisticated attacks, businesses need a reliable cybersecurity solution – both SQL and XSS injections are fileless attacks that are difficult to discover by simple file-scanning cybersecurity tools.
ESET solutions
ESET Safe Server (part of ESET Small Business Security), tailored for SOHO, has all the necessary tools to discover and stop threats such as the GhostRedirector’s campaign targeting Windows servers and data stored there. Here are some of the key features:
- Antivirus & Antispyware – They proactively detect and clean both known and unknown viruses, worms, trojans, and rootkits. Advanced heuristics flags even never-before-seen malware.
- Web Access Protection and Anti-Phishing – These features monitor communication between web browsers and remote servers (including SSL) and scan it for malware and phishing.
- Exploit Blocker – It monitors typically exploitable applications (browsers, document readers, email clients, Flash, Java, and more), searching for use of exploitation techniques. When the Exploit Blocker is triggered, the threat is blocked immediately on the machine.
- HIPS – The HIPS system monitors the events within the operating system and reacts to them according to a customized set of rules – giving the user the possibility to customize the behavior of the system in greater detail.
- ESET LiveGrid® – This is a cloud-powered reputation tool assessing files and running processes.
- Ransomware Shield – It monitors the behavior of applications and processes, focusing on those that try to modify files in a way common for ransomware/filecoders. If a suspicious behavior is detected, Ransomware Shield stops it and notifies the user.
- Device Control – Automatically scans all USB flash drives, memory cards, and CDs/DVDs.
ESET Server Security (part of ESET PROTECT) offers even more robust protection and deeper management possibilities, adding capabilities such as OneDrive scan, Hyper-V scan, ESET Cluster, Automatic exclusions, and ESET Shell to the list.
Set and protect
Doing business in an era of automated sophisticated cyberattacks is difficult, especially considering that they have the potential to finish smaller firms off quickly due to their limited resources.
Luckily, you don’t need to boil the ocean to cook a potato – not every threat requires a dedicated cybersecurity solution. Instead, ESET brings all-in-one protection to smaller businesses for an affordable price and a set-and-protect mindset that doesn’t require exhausting maintenance.
Frequently asked questions (FAQs)
1. Why are servers a major target for cyberattacks?
Servers are involved in a majority of breaches. They are often prime targets for cybercriminals due to their central role in storing and processing sensitive data.
2. Why are small businesses especially vulnerable to cyber threats?
Many SMBs and SOHO businesses lack the budget and expertise for robust cybersecurity. Surveys show that less than half prioritize cybersecurity investments.
3. What basic steps can small businesses take to protect their servers?
Many crucial precautions don’t require professional IT teams or high spending. Keep software updated, use strong passwords, enable 2FA, and train your staff to recognize phishing attacks. Also, having a robust cybersecurity protection solution is a must.
4. Why is simple antivirus not enough?
More advanced techniques like fileless attacks targeting servers (SQL and XSS injections) are difficult to detect using simple file-scanning tools.
5. How does ESET Safe Server help protect SOHO environments?
ESET Safe Server includes features like Antivirus, Anti-Phishing, Exploit Blocker, Ransomware Shield, and Device Control, which can detect and stop threats targeting Windows servers.
6. Isn’t ESET Safe Server too expensive and too difficult to operate for SMBs?
No. ESET Safe Server is part of ESET Small Business Security, a set-and-protect solution tailored for SOHOs. This means that the price and the level of skill required to operate the security management platform ESET HOME is favorable for smaller businesses. Mid-sized businesses can utilize even more powerful protection with ESET PROTECT Complete.
